Skip to main content Skip to complementary content
Qlik Resources

User directory connectors Advanced LDAP properties

The following property groups are available for user directory connectors of the type Advanced LDAP.

Identification

All fields are mandatory and must not be empty.

Identification properties
Property Description
Name

The name of the UDC configuration, defined from the QMC.

Type

The UDC type.

User sync settings

User sync properties
Property Description Default value
Sync user data for existing users
  • When selected, only the existing users are synchronized. An existing user is a user who has logged in to Qlik Sense and/or been previously synchronized from the configured directory service.
  • When not selected, all the users, defined by the properties for the UDC, are synchronized from the configured directory service. You can create a filter to Active Directory, ApacheDS, Generic LDAP, or Advanced LDAP, if you only want to synchronize a selection of users.
Information noteThe user attributes are only synced when a user logs in to the hub. Even if you delete the user in the QMC, the active session is still valid for the user that has been deleted. If the hub is only refreshed, the user is added to the database, but without any attributes.

Selected

Connection

LDAP connection properties
Property Description Default value

User directory name

Must be unique, otherwise the connector will not be configured. The name of the UDC instance (to be compared to the domain name of an Active Directory). Together with the user's account name, this name makes a user unique.

Information noteNot entered manually for Active Directory.
  

Host

Hostname with port separated by “:”

If hostname is the IP address, add the following value in the Flags field: no_fqdn.

Use port 3268/(If LDAPs: 3269) for Global catalog search.

Check the corresponding ports open to LDAP server from the Qlik Sense installed server for the access.

 company.com:port
User name

The optional user ID used to connect to the directory server.

Format: Domain name\User name

Information noteIf user name and password are empty, the user will be considered as an Anonymous user.
  
Password

The optional password for the user.

Information noteIf user name and password are empty, the user will be considered as an Anonymous user.
  
Timeout (seconds) Connection timeout in seconds. 500
Base DN Base DN in LDAP to select. cn=builtin,dc=company,dc=com
Information note When a user creates an Active Directory connector, the connector will only work if the user running the Qlik Sense services is allowed to access the directory server. If the user running the Qlik Sense services is not allowed to access the directory server, a user name and a password that allows access to the directory server must be provided.

Advanced

The Advanced property group contains the advanced LDAP connector properties in the Qlik Sense system.

LDAP advanced properties
Property Description Default value
Page size

Determines the number of posts retrieved when reading data from the data source. When the specified number of posts have been found, search is stopped and the results are returned. When search is restarted, it continues where it left off.

Tip note If the user synchronization is unsuccessful, try setting the value to '0' (zero), which is equal to not doing a paged search.

2000 (For ApacheDS: 1000)
Use optimized query

This property allows Qlik Sense to optimize the query for directories containing many groups in proportion to the number of users retrieved.

Warning noteTo be able to use the optimization, the directory must be set up so that the groups refer to the users. If the directory is not set up correctly, the optimized query will not find all groups connected to the users.

This property is only visible for Generic LDAP, Advanced LDAP, and Active directory search (Active Directory always uses optimization).

 Not selected
Timeout (seconds) The timeout for reading data from the data source. 400
Authentication type

Authentication type to connect to LDAP.

Options: Anonymous, Basic, Negotiate, NTLM, Digest, Sicily, DPA, MSN, External, Kerberos.

-
Flags

Flags to mention LDAP connection session settings. Multiple values can be specified, comma separated.

Tcpkeepalive: Enables TCP keep-alive.

Autoreconnect: Enables Autoreconnect.

Rootdsecache: Enables the internal RootDSE cache.

Sealing: Enables Kerberos encryption.

Secure socket layer or ssl: Enables secure socket layer on the connection.

Signing: Enables Kerberos encryption.

Connectionless: Specifies whether the connection is UDP.

No_fqdn: Use this flag if host in the Host field is given as an IP address.

noclientcert: Skip the default callback function used to specify client certificates when establishing an SSL connection.

NoCertVerify: Skip server certificate verification when an SSL connection is established.

Information noteDon't use NoCertVerify and Certdebug together.

Certdebug: Get specific server certificate validation errors, if any, for debugging.

AllProps: Fetch all attributes of the LDAP object.

enablePaging: Use pagination when retrieving users from the user directory server. The size of the chunks is defined by the Page size property. The page size must be less than or equal to the MaxPageSize value on the user directory server.

 -
Locator flags

Locator flag for DC locator. Multiple values can be specified, comma separated.

None

ForceRediscovery

DirectoryServiceRequired

DirectoryServicePreferred

GCRequired

PdcRequired

IPRequired

KdcRequired

TimeServerRequired

WriteableRequired

GoodTimeServerPreferred

AvoidSelf

OnlyLdapNeeded

IsFlatName

IsDnsName

ReturnDnsName

ReturnFlatName

 -
Search LDAP filter Optional LDAP filter query. -
Protocol version LDAP protocol version to use. 3
Simple authentication and security layer (SASL) method

SASL Binding method:

gssapi

external

gss-spnego

digest-md5

 -
Certificate path Path of the client certificates to send for authentication. -

Directory entry attributes

Information noteThe directory entry attributes are case-sensitive.
LDAP directory entry attribute properties
Property Description Default value

Type

The attribute name that identifies the type of directory entry (only users and groups are used by the LDAP UDC). objectClass
User identifier

The attribute value of the directory entry that identifies a user.

 inetOrgPerson
Group identifier The attribute value of the directory entry that identifies a group. group
Account name The unique user name (within the UDC) that the user uses to log in. sAMAccountName
Email The attribute name that holds the emails of a directory entry (user). mail
Display name The full name of either a user or a group directory entry. name
Group membership

The attribute indicates direct groups that a directory entry is a member of. Indirect group membership is resolved during the user synchronization.

This setting, or the one below, Members of directory entry, is allowed to be empty, which means that the group membership is resolved using only one of the two settings.

 memberOf
Members of directory entry

The attribute name that holds a reference to the direct members of this directory entry.

See also the Group membership setting, above.

 member
Custom attributes Extra LDAP object attributes to be retrieved.  

Tags

Tags properties
Property Description
Tags
Tip noteIf no tags are available, this property group is empty.

Connected tags are displayed under the text box.

Did this page help you?

If you find any issues with this page or its content – a typo, a missing step, or a technical error – let us know how we can improve!

Leave your feedback here